HL Chronicle of Data Protection
https://www.hldataprotection.com
Privacy & Information Security News & Trends

NIST Continues to Make Progress on its Privacy Framework
Mon, 20 May 2019

While eyes focus on the privacy legislative debate now underway in the United States, the development of a new Privacy Framework by the influential National Institute of Standards and Technology (“NIST”) is also worthy of attention. On May 13-14, 2019, NIST hosted its second workshop on the recently released discussion draft of its “Privacy Framework: An Enterprise Risk Management Tool” (“Privacy Framework”). The workshop brought together stakeholders to provide feedback on the draft and suggest areas for revision. NIST had previously hosted a workshop in October 2018 to kick off the development of the Privacy Framework and had presented its thinking at other fora such as the Brookings Institution.

The discussion draft of the Privacy Framework attempts to follow the model of NIST’s Cybersecurity Framework released in 2014, which the Federal Trade Commission has acknowledged as a tool that can promote compliance with its security expectations. Like the Cybersecurity Framework, the draft Privacy Framework outlines objectives for organizations to pursue that are focused around core themes. NIST’s stated intention is that organizations may choose whether to use the two frameworks together or independently of one another.

The draft Privacy Framework describes five core privacy “functions” for organizations to develop and implement that track the life cycle of an organization’s management of privacy risk:

Identify (organizational understanding of privacy risk);

Protect (appropriate data processing safeguards);

Control (data management measures);

Inform (communication about data processing activities); and

Respond (privacy breach mitigation and redress).

Two of these core functions (Control, Inform) have no mapping to NIST Cybersecurity Framework core functions, while two of the Cybersecurity Framework’s core functions (Detect, Recover) have no analogue in the Privacy Framework. NIST officials have stated that some of the core functions currently included in the Privacy Framework may be adjusted following the feedback received from stakeholders during the recent workshop. For example, NIST expects to broaden the “respond” function to account for ongoing privacy concerns, rather than merely isolated events. NIST also plans to refine the terminology adopted in the Privacy Framework.

One aspect of the Privacy Framework that was commended during the recent workshop, and is not expected to undergo significant revisions, is the “Privacy Risk Management Practices” appendix that outlines key steps for organizations to undertake in managing privacy risk. These include organizing preparatory resources, determining privacy capabilities, conducting privacy risk assessments, and creating privacy requirements traceability.

NIST is expected to publish a full summary and a recording of the opening half-day of the workshop in the next couple of weeks.

While achieving compliance with specific privacy rules is not the Privacy Framework’s goal, companies seeking to develop or refine their data governance programs may find the Privacy Framework’s core practices to provide a useful initial foundation. The Privacy Framework is designed to be flexible and provide organizations with a non-prescriptive set of standards for use when addressing privacy risks. These standards are intended to be risk-based and outcome-based rather than compliance based, and are intended to promote good data-governance practices within companies regardless of what regulatory framework may apply to them.

In this respect, the Privacy Framework is likely to become an important resource for companies building out their compliance programs for the California Consumer Privacy Act and/or the European Union’s General Data Protection Regulation, and for companies anticipating the eventual enactment of additional federal privacy legislation.

There will be a webinar discussion on May 28 to follow up on the recent workshop, including an opportunity to ask questions and present feedback on the discussion draft. The next Privacy Framework workshop will take place on July 8-9 in Boise, Idaho, and NIST has stated that it is open to feedback at all times. NIST plans to finalize the Privacy Framework in October 2019.

Data forms the cornerstone of the current economy. Last year, the GDPR and the EU Trade Secrets Directive together updated the legal framework for the protection of the most important data in a company: personal data and trade secrets. With these developments in mind, the seminar will consider the overlap between the two regimes and why companies must consider them together in order to fully utilize the possibilities for data protection.

The in-person seminar will be presented in Dutch.

This seminar is of interest to in-house counsel, in-house patent attorneys, privacy officers, CISOs and IT managers.

https://www.hldataprotection.com/2019/05/articles/news-events/amsterdam-seminar-protect-your-data/

Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?
Mon, 13 May 2019

In the past two years, multiple state bills have been introduced in the US to provide cybersecurity requirements and standards for the insurance sector, with recent legislative activity taking place in particular in Ohio, South Carolina, and Michigan. The entry into effect of multiple state laws in this area may present challenges for insurance providers operating in states where such cybersecurity requirements are provided for.

Major data breaches in recent years are spurring state legislators and regulators across the US into action. Of particular concern to state-level policymakers and enforcement authorities are business practices that in their view may contribute to security incidents.

The insurance industry has not been immune from such scrutiny, nor from the imposition of business practice requirements intended to enhance cybersecurity sector-wide. For example, the New York Department of Financial Services (‘NYDFS’) in March 2017 issued its Cybersecurity Regulation (23 NYCRR 500) (‘the NYDFS Cybersecurity Regulation’), a groundbreaking and far-reaching regulatory regime focused on financial institutions licensed in New York, including insurance companies. Later that year, the National Association of Insurance Commissioners (‘NAIC’) adopted its Insurance Data Security Model Law (‘the NAIC Model’) as a framework cybersecurity law for the insurance industry. Also in 2017, Connecticut passed legislation requiring that health insurers, third-party administrators, and related entities implement and maintain a comprehensive information security program with specific minimum requirements to protect insureds’ personal data.

Now various state legislatures, with a boost from the NAIC and New York activity, are increasingly focusing on the insurance sector. Three States – Ohio, Michigan, and South Carolina – have recently enacted into law variations of the NAIC Model. More states are sure to follow.

To date, state legislatures have hewn fairly closely to the NYDFS and NAIC approaches, avoiding the enactment of conflicting requirements that might make compliance materially more burdensome and complicated. This is a promising trend for insurers with multi-state operations, but vigilance is warranted, particularly in light of the very active state legislative and enforcement environment in this area [1]. Furthermore, in light of the current legislative debate over the value of federal preemption to help ensure consistency of privacy and data security regulation, all sectors may find of interest the progress and practical impact of state-level insurance cybersecurity regulation in the US.

The NYDFS Cybersecurity Regulation is groundbreaking in several ways, including for the granularity of its requirements. To date, most other state data security laws have required covered entities to implement ‘reasonable’ data security without much specificity as to what must be done to meet that standard [2]. At the federal level, the Gramm-Leach-Bliley Act of 1999 (‘GLBA’), which state insurance commissioners oversee through their own respective state laws and regulations [3], takes a process-oriented approach to data security requirements, eschewing specificity. In contrast, the NYDFS Cybersecurity Regulation specifies in considerable detail the policies, procedures, and safeguards that a covered entity must implement based on risks and vulnerabilities identified during periodic cybersecurity risk assessments.

The NYDFS Cybersecurity Regulation also expands the scope of covered data, by defining ‘non-public information’ to include not only the types of information traditionally covered by other data security laws, including data breach notification laws, but also other data for which compromise poses a material risk to the business or its operations.

Additionally, the NYDFS Cybersecurity Regulation requires breach reporting within 72 hours to the NYDFS. Reporting obligations are triggered by an incident affecting any information a covered business maintains that could be reasonably likely to materially harm operations, or that triggers some other regulatory notification [4].

The NAIC Model reflects the NYDFS Cybersecurity Regulation, and offers states a common approach

The NAIC’s Model Law is intended to apply to any individual or nongovernmental entity that is licensed, authorised, or registered under insurance laws, as well as industry service providers (licensees). It is notable that a NAIC taskforce had been evaluating industry cybersecurity standards since 2015, but following the enactment of the NYDFS Cybersecurity Regulation, the taskforce substantially revised its planned approach to mirror the NYDFS Cybersecurity Regulation’s terminology and requirements [5].

The NAIC Model, which leverages and builds on core GLBA and NYDFS Cybersecurity Regulation requirements, includes requirements to:

Develop, implement, and maintain a comprehensive, risk-based information security programme: The programme must encompass administrative, technical, and physical safeguards to protect non-public consumer information and the licensee’s information systems. The chosen safeguards should be commensurate with the size and complexity of the business, as well as responsive to the risks identified during regular risk assessments. Like the NYDFS Cybersecurity Regulation, covered information (i.e., nonpublic information) under the NAIC Model is broader than the personal information historically covered by the GLBA and state data security laws.

Implement appropriate security measures: The NAIC Model offers a list of common security measures that each licensee should implement as appropriate. Such measures include access limitations, multi-factor authentication, encryption of non-public information during transit and on portable devices, intrusion detection mechanisms, audit trails, data retention and disposal practices, and disaster recovery and business continuity plans.

Have an incident response plan: Each licensee must have a written incident response plan designed to promptly respond to and mitigate any cybersecurity incident. The NAIC Model contains specific plan requirements, such as internal response processes, clearly defined roles and decision-making authority, managed internal and external communications, incident documentation procedures, and mechanisms for post-incident revision and remediation.

Report cybersecurity events: The NAIC Model provides a very detailed process by which a licensee must notify the state insurance commissioner of ‘cybersecurity events.’ An event must be reported to the state regulator if either (i) the state is the insurance licensee’s state of domicile or its home state; or (ii) the compromise of non-public information of at least 250 state residents requires reporting pursuant to another applicable law, or creates a reasonable likelihood of material harm to a consumer or business operations. Reporting must occur within 72 hours of discovering the event. Licensees must retain for five years all records concerning a cyber event, and must make those records available to the commissioner upon request.

Train employees: Licensees must provide security awareness training to employees. Licensees are also responsible for monitoring legal and threat developments in the cybersecurity landscape and for updating their training program (as well as security safeguards) to reflect these developments.

Involve the board: Under the NAIC Model, a licensee’s board of directors is ultimately responsible for overseeing the information security program. The board must receive an annual report on the overall status of the security program.

Conduct planned security assessments: The NAIC Model requires licensees to ‘no less than annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.’ This broad language leaves room for variances at the state level for tighter timeframes or more specific required testing. For example, the NYDFS Cybersecurity Regulation requires annual penetration testing and vulnerability scanning, which are two of the many types of assessments that might satisfy the NAIC Model requirement.

Oversee vendors: Licensees must exercise due diligence by vetting vendors prior to onboarding, and must contractually require vendors to implement appropriate safeguards to protect non-public consumer information and information systems. If a cyber event occurs within a vendor’s systems, licensees must launch an investigation to gather information about and document the event.

Certify compliance annually: Licensees must annually certify their compliance with the applicable state law with the state insurance commissioner. Additionally, licensees must retain for five years all records, schedules, and data supporting their compliance.

Additionally, the NAIC Model offers an exception that presumably is intended to facilitate greater cooperation and information sharing with the state insurance department by licensees about threats and security incidents. Any materials acquired by the state insurance department in the course of enforcing the state law are deemed privileged and confidential, and thus would not be subject to the Freedom of Information Act of 1966 or subpoena, nor would such information be discoverable or admissible as evidence in a lawsuit.

Recent state actions

While influential on its own, the NAIC Model is meant to be enacted into law. Upon approving the NAIC Model in October 2017, the NAIC called upon ‘legislatures or regulatory bodies to adopt [the NAIC Model], with as few changes as possible, in a majority of states within three years.’ To date, South Carolina, Ohio, and Michigan have adopted a version of the NAIC Model. Thus far, the state laws closely follow the NAIC Model, but with some differences in the details.

The South Carolina Insurance Data Security Act (‘the South Carolina Bill’) was signed into law on 3 May 2018 and became effective on 1 January 2019, with delayed enforcement of the written information security and vendor management programmes until 1 July 2019 and 1 July 2020, respectively. The South Carolina Bill requires that insurers, agents, and other licensed entities doing business in the State implement a comprehensive written information security program that is appropriate to the size of the licensee, the licensee’s activities, and the sensitivity of consumer information the licensee handles. The South Carolina Bill maintains the 72-hour breach reporting deadline to the insurance regulator, and generally aligns with the NAIC Model. The Director of the South Carolina Insurance Department is empowered to issue regulations to implement the South Carolina Bill, a provision included in the NAIC Model.

On 19 December 2018, Ohio became the second State to adopt a law based on the NAIC Model. Ohio Senate Bill 273 (ORC §§3965.01-11) (‘the Ohio Bill’) is enforceable on 20 March 2020, but allows licensees an additional year to implement the written information security program and an additional two years to establish a vendor management programme. The Ohio Bill generally mirrors the NAIC Model, including by imposing a breach reporting deadline of three business days, but with two notable differences. First, a licensee in compliance with the Ohio Bill has an affirmative defense to an Ohio tort claim that alleges the company’s lack of reasonable cybersecurity controls caused a data breach. Ohio’s cyber ‘safe harbour’ is a first-of-its-kind measure. Over time, such safe harbours could become useful legislative tools to encourage companies to invest in compliant information security programs. Second, the Ohio Bill specifies that, as to insurance licensees, it ‘constitutes the exclusive state standards and requirements applicable to cybersecurity events, the security of nonpublic information, data security, investigation of cybersecurity events, and notification to the superintendent of cybersecurity events.’ The exclusivity provision does not appear to rule out the applicability of Ohio’s breach notification rules for individual notification, which the Ohio Bill does not address. As with South Carolina, the Ohio Superintendent of Insurance can issue regulations as necessary to carry out the Ohio Bill.

On 28 December 2018, Michigan became the third state to adopt a law based on the NAIC Model with Michigan House Bill 6491 (MCL §500.550) (‘the Michigan Bill’). The Michigan Bill is nearly identical to the South Carolina Bill. However, the Michigan Bill gives licensees ten business days from determination of a cyber incident to notify the State regulator, a generous deviation from South Carolina’s 72-hour rule. The Michigan Bill is enforceable as of 20 January 2021, with delayed enforcement of one year for the written information security program provisions and two years for the vendor management program provisions.

Like the NAIC Model, the South Carolina Bill, the Ohio Bill, and the Michigan Bill do not supersede existing state breach notification rules on notification thresholds and content requirements for individual consumer data breach notifications. However, these new bills do contain slight, but important, variations for state insurance regulator notifications. Following the NAIC Model, the South Carolina Bill calls for reporting to the State regulator if either (i) South Carolina is the insurance licensee’s state of domicile or home state; or (ii) the compromise of nonpublic information of at least 250 South Carolinians requires reporting pursuant to another applicable law or creates a reasonable likelihood of material harm to a consumer or business operations. Ohio and Michigan take a slightly different approach, in that the risk-of-harm threshold applies even where notice is based on the state being the licensee’s domicile or home state. The NAIC Model, the Ohio Bill, the Michigan Bill, and the South Carolina Bill all have detailed content requirements for the notices.

In contrast, the NYDFS Cybersecurity Regulation requires notice of cybersecurity events to the NYDFS only when the event must be reported pursuant to another applicable law, or is reasonably likely to cause material harm to normal operations of the business. It does not separately include an assessment of harm to consumers. The NYDFS Cybersecurity Regulation also does not include detailed content requirements for notices.

What’s next?

It is reasonable to expect additional states to move forward with similar legislative initiatives focused on insurance sector cybersecurity. It is unclear how quickly this will occur, and whether forthcoming state laws will remain reasonably consistent with the NAIC Model. At the time of publication, relevant legislative activity is underway in at least Rhode Island, Mississippi, Nevada, New Hampshire, and Oregon, and in addition, the Washington State Office of the Insurance Commissioner included adoption of the NAIC Model in its 2019 legislative agenda.

What is also notable is the effect that the NYDFS Cybersecurity Regulation and the NAIC Model are having on federal regulators. On 5 March 2019, the Federal Trade Commission (‘FTC’) announced it will be seeking comments on proposed amendments to its GLBA Security Rule, which currently imposes high-level, process-oriented requirements. In proposing more expansive requirements, the FTC expressly acknowledged the influence of the NYDFS Cybersecurity Regulation and the NAIC Model [6].

To remain compliant, insurance industry licensees will need to continue monitoring state developments and updating their information security programmes as new requirements and variants of existing requirements are enacted.

This article was first published in DataGuidance (April 2019).

[1] Uber’s agreement in September 2018 to pay a record $148 million to settle a state attorneys general data breach investigation is a noteworthy example of such enforcement activity.

[2] While some state insurance laws and regulations have included data security provisions for some time, the first detailed state data security requirements were in the Massachusetts Data Security Regulation of 2010. See 201 CMR 17.00. The Massachusetts Data Security Regulation of 2010 is of general applicability and is not sector-specific. It prescribes that companies have a written information security programme with appropriate vendor oversight and technical security controls, but the NYDFS Cybersecurity Regulation and the NAIC Model Law are even more detailed in their requirements for financial institutions and insurance companies, and apply to a broader set of data.

[3] In recognition of the McCarran-Ferguson Act of 1945, which exempts the business of insurance from most federal regulation, the GLBA specifies that ‘[n]othing in this paragraph shall be construed to alter, affect, or otherwise limit the authority of a State insurance authority to adopt regulations to carry out this subchapter,’ i.e., the GLBA data security provisions. See 15 USC §6804(a)(1)(D), and 15 USC §6701 (clarifying that the McCarran-Ferguson Act of 1945 remains the law of the US).

[5] While the NAIC Model still differs from the NYDFS Cybersecurity Regulation in some respects, to address concerns about such inconsistency the NAIC Model states that licensees in compliance with the NYDFS Cybersecurity Regulation are deemed to be in compliance with the NAIC Model.

https://www.hldataprotection.com/2019/05/articles/cybersecurity-data-breaches/cybersecurity-standards-for-the-insurance-sector-a-new-patchwork-quilt-in-the-us/

Hogan Lovells Privacy and Cybersecurity Practice Ranked as a Top-Tier Practice by Chambers USA for 8th Consecutive Year
Fri, 10 May 2019

Chambers USA recently released its 2019 rankings and we are pleased to announce that Hogan Lovells’ Privacy and Cybersecurity (PaC) practice once again received Band 1 recognition by Chambers USA. Chambers noted that PaC “[r]emains one of the country’s preeminent privacy and data security practices. A highly talented roster of attorneys advising clients on major data breaches and complex policy matters across a multitude of industries, including retail, automotive and media.”

Several of our team members also were individually recognized. Marcy Wilder, PaC’s global co-lead, was ranked in Band 1 of the Privacy & Data Security: Healthcare category. Harriet Pearson was ranked Band 1 in the Privacy & Data Security category. And Chris Wolf, PaC’s former co-lead and current senior counsel, was recognized as a senior statesperson in the Privacy & Data Security category.

https://www.hldataprotection.com/2019/05/articles/news-events/hogan-lovells-privacy-and-cybersecurity-practice-ranked-as-a-top-tier-practice-by-chambers-usa-for-8th-consecutive-year/

GDPR – The Work Ahead
Thu, 09 May 2019

The sky has not fallen. The Internet has not stopped working. The multi-million euro fines have not happened (yet). It was always going to be this way. A year has gone by since the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) became effective and the digital economy is still going and growing. The effect of the GDPR has been noticeable, but in a subtle sort of way. However, it would be hugely mistaken to think that the GDPR was just a fad or a failed attempt at helping privacy and data protection survive the 21st century. The true effect of the GDPR has yet to be felt as the work to overcome its regulatory challenges has barely begun. So what are the important areas of focus to achieve GDPR compliance?

An essential ‘GDPR To Do’ list for the months ahead looks as follows:

Nail the basics – As regulatory guidance on some of the essential aspects of the law – from its extra-territorial applicability to the lawful grounds for processing – continues to pour in, determining the appropriate legal basis for the use of personal data has become an absolute priority. Regulators expect nothing less than a solid foundation matched by a wholly transparent approach through a crystal clear and comprehensive privacy notice.

Meet individuals’ demands – After the initial influx of data subjects’ requests in the early days of the GDPR, the pace of requests seems to have taken a ‘business as usual’ level. However, since EU data protection law is still primarily about putting people in control of their data, dealing with any requests from individuals seeking to exercise their rights under the law should always be a top priority.

Adopt a credible Data Protection Impact Assessment (‘DPIA’) strategy – Of all the new accountability requirements in the GDPR – aside from the role of the data protection officer – carrying out DPIAs is likely to be the single most important contributor to ensuring compliance with the law. For this reason, regulators often seek to understand how organisations are deploying DPIAs and dealing with the outcomes of this practice.

Engage with the regulators – One of the most significant features of the GDPR from a practical compliance perspective is its enforcement arrangements. Central to this is the One Stop Shop system of supervision, which gives a single regulator full competence to oversee the pan-European data processing activities of an organisation. This approach is still compatible with the involvement of multiple national data protection authorities, and as a result a well-thought-out strategy for regulatory engagement will be essential for many organisations.

Prepare for data security incidents – 72 hours to decide whether to report a data security incident is a very short timeframe. Experience shows that the most sensible way of dealing with the inevitable incident is to be ready for it and, particularly, to know how to assess the possible risk for individuals in order to determine whether to report it and if so, how.

Legitimise global data flows – One of the unintended consequences of Brexit has been to highlight once again the importance of legitimising international data transfers. This is not a new issue but adopting a workable and future-proof strategy to enable global data flows is a must. For many organisations this may start with intra-group agreements and evolve towards BCR, but whatever the mechanism used, it should be kept under review.

Ultimately, the key point to remember is that meeting the GDPR’s requirements is an ongoing endeavour. One could never regard it as a job done. Having adopted a GDPR compliance programme, organisations need to keep it alive without ever losing focus of what matters most and how the law is evolving. Complete certainty might be an unachievable goal but being alert to the practical priorities and getting on with the work will go a long way.

This article was first published in Data Protection Leader (May 2019).

https://www.hldataprotection.com/2019/05/articles/international-eu-privacy/gdpr-the-work-ahead/

Webinar on Hacking 101: How it works and how to mitigate risk
Tue, 07 May 2019

Please join the Hogan Lovells Privacy and Cybersecurity team on May 15 for our webinar, Hacking 101: How it Works and How to Mitigate Risk. We will explore how certain common hacks work from a technical perspective and how to mitigate related risks from a legal and compliance perspective.

Cyberattacks have become a top-of-mind risk for many organizations. Lawyers, privacy officers, compliance officers, and executives are key figures in helping manage such risks, but many may not understand how various hacks work. Understanding the technical details of how certain common hacks work can prepare you for everything from drafting policies and agreements to managing compliance and incident response efforts. In this webinar, we aim to better equip you to be able to peel back the surface of the technical details to better understand how those details might affect a company’s obligations and risks.

This webinar is for all audiences, whether you have a technical background or not. We will give examples of known techniques cyberattackers use to compromise applications remotely, look at samples of code that may be vulnerable, and explain what is going on inside the application that makes these attacks viable. We will cover man-in-the-middle attacks, client side attacks, SQL injection, and buffer overflows. And we intend to address those topics in a way that will make sense to lawyers and executives, as well as IT and security professionals.

CLE credit will be offered for webinar attendance.

https://www.hldataprotection.com/2019/05/articles/news-events/webinar-on-hacking-101-how-it-works-and-how-to-mitigate-risk/

NIST Seeking Input on AI Technical Standards by May 31, 2019
Thu, 02 May 2019

On May 1, 2019, the National Institute of Standards and Technology (NIST) announced a Request for Information (RFI) in the Federal Register regarding ongoing efforts to develop technical standards for artificial intelligence (AI) technologies and the identification of priority areas for federal involvement in AI standards-related activities. Responses to the RFI are due by May 31, 2019.

The RFI comes in response to President Trump’s Executive Order to Maintain American Leadership in Artificial Intelligence, which among other actions directs NIST to develop a plan to guide the federal government’s engagement with initiatives to develop technical standards for AI technology (Plan). This RFI, along with others released by this Administration, reflects a desire to promote AI technologies that enhance America’s interests and strengthen the public’s trust and confidence in AI.

According to the RFI, NIST is seeking input from a variety of stakeholders, including industry, academia, and civil society, with the hopes of understanding more fully the following topics:

The current status and plans regarding the availability, use, and development of AI technical standards and tools in support of reliable, robust, and trustworthy systems that use AI technologies;

Needs and challenges regarding the existence, availability, use, and development of AI standards and tools; and

The current and potential future role of Federal agencies regarding the existence, availability, use, and development of AI technical standards and tools to meet the nation’s needs.

To achieve a better understanding of the points above, NIST identifies 18 specific topics that it considers to be the “major areas” about which it needs more information. NIST categorizes these topics into three groupings:

AI Technical Standards and Related Tools Development: Status and Plan

Defining and Achieving U.S. AI Technical Standards Leadership

Prioritizing Federal Government Engagement in AI Standardization

NIST will also be gathering information from the public through additional means, including public workshops, and it plans to release the draft Plan for public comment. It has also published a page dedicated to the AI Standards effort.

Bret Cohen will speak on the Privacy Bar Section Forum panels, “Working Across Borders: Partnering and Vetting,” and “Case Study: How Working Across Borders Worked for Me,” during the 2019 IAPP Global Summit.

Harriet Pearson will lead a discussion on security operations that may have privacy implications, such as insider threat programs, information sharing, and systems monitoring during the session “Cybersecurity and Privacy: Can They Coexist?” at the 2019 Georgetown Cybersecurity Law Institute. To find out more information or register, please click here.

Location: Washington, D.C.

https://www.hldataprotection.com/2019/04/articles/news-events/privacy-and-cybersecurity-may-2019-events/

HIPAA Penalty Caps to Be Reduced and Tied to Culpability Level
Mon, 29 Apr 2019 22:41:57 +0000

In a dramatic turn, the US Department of Health and Human Services (HHS) has announced that effective immediately, penalties for many HIPAA violations will be subject to substantially reduced limits. After a record year of collecting high-dollar settlements, the agency has pulled back and tied its own hands through a Notification of Enforcement Discretion that will likely result in lower penalties and settlement agreement amounts.

The HITECH Act sets out four tiers of culpability for HIPAA violations:

(1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;

(2) the violation was due to reasonable cause, and not willful neglect;

(3) the violation was due to willful neglect that is timely corrected; and

(4) the violation was due to willful neglect that is not timely corrected.

The HITECH Act tied increased penalties to the level of culpability associated with a violation. In interpreting the HITECH Act enforcement provisions, however, the Department identified inconsistencies in the descriptions of penalty ranges and, while promulgating an updated Enforcement Rule in 2009, stated a position that the HITECH Act provided the Secretary with discretion to impose penalties up to the maximum amount described in the highest penalty tier for each culpability level. Thus, prior to this recent exercise of “enforcement discretion” the Department interpreted the HITECH Act to allow an annual limit of $1.5 million per HIPAA violation per year, regardless of the level of culpability.

HHS’s New Interpretation

The Notification of Enforcement Discretion states that upon further review, HHS has determined that a “better reading” of the HITECH Act is to apply tiered annual limits, ranging from $25,000 to $1.5 million, depending on the level of culpability. In light of this new determination, and as a matter of its enforcement discretion, HHS is announcing revised annual CMP limits for HIPAA violations with the expectation to codify the new interpretation as part of a future rulemaking process. HHS will use this new penalty tier structure going forward for all HIPAA enforcement actions with adjustments for inflation:

This change in the agency’s interpretation of the HITECH Act and its exercise of enforcement discretion comes as MD Anderson Cancer Center in Texas is asking the Fifth Circuit to overturn a ruling by an HHS administrative law judge upholding a $4.3 million HIPAA penalty. MD Anderson is also challenging HHS’s authority to impose the CMP in a suit filed against the HHS Secretary in federal district court. Among other arguments, MD Anderson asserts that the Secretary exceeded his authority by imposing a CMP beyond the statutory caps. MD Anderson argued in its complaint that under the statute, “Reasonable Cause” violations OCR alleged in the case must be capped at $100,000 per violation per year and that the Secretary erroneously imposed the highest level penalty cap of $1.5 million, which renders the culpability-specific caps in the law meaningless “in violation of basic statutory construction principles.” HHS’s newly revised interpretation of the annual cap for a “Reasonable Cause” violation to $100,000 aligns with MD Anderson’s position. OCR Director Roger Severino told reporters Friday that the announcement is not connected with the ongoing MD Anderson cases.

Potential Further Focus on Culpability

The significantly reduced annual limits for HIPAA violations—other than those due to uncorrected willful neglect—will likely bring into focus levels of culpability in the enforcement process. Under the Department’s prior interpretation, which allowed for a $1.5 million maximum penalty regardless of culpability tier, the Department could threaten significant CMPs in its investigations regardless of the level of culpability of the organization. A renewed focus on culpability provides incentives for covered entities and business associates to demonstrate good faith compliance efforts, so that any enforcement action would be subject only to the lower penalty tiers. In fact, under the new framework, organizations have significant financial incentives to correct potential “Willful Neglect” violations in a timely manner, to avoid the penalties associated with the highest tier.

If the Department’s historical approach to enforcement is any indication, this shift is likely to result in lower penalties or at least fewer large enforcement actions of the type we have seen in recent years. The Department previously touted 2018 as an “all-time record year for HIPAA enforcement,” measured by $28.7 million in penalties collected. Under the new penalty structure, the amounts in many of the enforcement actions of previous years likely would have been lower. Director Severino stated Friday that close to 40% of enforcement actions to date have included at least one count of uncorrected willful neglect, for which the annual penalty tier is not changing. That means that more than half of enforcement actions did not include any alleged violations at the highest penalty tier; in fact, the CMPs that OCR has imposed for HIPAA violations in recent years have included only “Reasonable Cause” allegations, including in MD Anderson (settlements do not publish detailed culpability tiers for alleged violations).

The Department’s announcement has significant implications for current and future HIPAA enforcement actions that we will continue to monitor.

https://www.hldataprotection.com/2019/04/articles/health-privacy-hipaa/hipaa-penalty-caps-to-be-reduced-and-tied-to-culpability-level/

South Africa Data Protection Regulations Expected to Take Effect in 2019
Fri, 26 Apr 2019 13:43:36 +0000

Although South Africa’s first comprehensive piece of data protection legislation, the Protection of Personal Information Act (POPIA), was originally signed into law in November 2013, the substantive provisions of the law have not yet taken legal effect. That is likely to change since South Africa’s data protection authority, the Information Regulator, published the final draft of its POPIA regulations in December 2018.

Although the Information Regulator has not indicated exactly when those regulations will become final, it has indicated that the full implementation of POPIA should follow shortly thereafter. Section 114 of POPIA provides that once the law is fully implemented, its substantive provisions will become enforceable after a one-year transitional period. So, to the extent that the POPIA Regulations are finalized at some point in 2019, POPIA’s substantive provisions will become enforceable one year later, in 2020.

Interestingly, parts of POPIA’s structural rules already took effect in April 2014. These are:

Section 1, which contains the definitions;

Part A of Chapter 5, which regulates, among other things, the establishment, duties and powers of the Information Regulator; and

Sections 112 and 113, which regulate the right of the Minister of Justice and Constitutional Development to issue regulations and the procedures to do so.

In line with Part A of Chapter 5, the Information Regulator was established and took office in December 2016. However, POPIA’s substantive obligations and penalty provisions are still not in effect because, as outlined by the Information Regulator in a 2016 media statement regarding those provisions, they only can be implemented once the Information Regulator has reached a “stage of operational readiness.”

Despite POPIA not being fully in effect, the Information Regulator has emphasised the need for regulation and has urged companies to start complying with its provisions ahead of its implementation. The Information Regulator also has written to companies, reminding them of their data privacy obligations once the law does take effect. For example, it has sent letters to companies following data security incidents, requesting information that would need to be made available under POPIA such as how the incident occurred, the extent and materiality of the incident, interim measures put in place to prevent further compromise, security measures put in place to prevent a recurrence of similar incidents, and measures taken to inform affected data subjects of the incident in order to allow them to take proactive measures against potential consequences.

Companies operating in South Africa who wish to get a head start on POPIA compliance can reasonably rely on the Information Regulator’s draft final POPIA Regulations. Many of POPIA’s requirements are modelled after UK law, so companies operating in the UK or Europe might look to their UK/European data protection compliance programs to begin building compliance programs that address analogous obligations of POPIA.